From d13739532d51ead4f46f68e1fc221d4d4a9de594 Mon Sep 17 00:00:00 2001
From: eahefnawy
Date: Mon, 14 Oct 2024 16:04:10 +0000
Subject: [PATCH 1/3] chore(github): setup Github oidc
---
 .github/workflows/main.yml | 9 ++++++---
 .github/workflows/pr-deploy.yml | 9 ++++++---
 .github/workflows/pr-remove.yml | 9 ++++++---
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 603bb5b..cb68786 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -24,11 +24,14 @@ jobs:
 cmd: |
 yq -i '.stages.prod.params.customDomainName = "${{ vars.CUSTOM_DOMAIN_NAME }}"' serverless-compose.yml
 yq -i '.stages.prod.params.customDomainCertificateARN = "${{ vars.CUSTOM_DOMAIN_CERTIFICATE_ARN }}"' serverless-compose.yml
- - name: Serverless Deploy
+ - name: Configure AWS Credentials - Serverless Marketing AWS Account
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
+ aws-region: us-east-1
+ - name: Serverless Deploy - Prod
 uses: serverless/github-action@v4
 with:
 args: deploy --stage prod
 env:
 SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/pr-deploy.yml b/.github/workflows/pr-deploy.yml
index d7b1756..07004e9 100644
--- a/.github/workflows/pr-deploy.yml
+++ b/.github/workflows/pr-deploy.yml
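Review bot: The added `role-to-assume` gives the prod deploy step a role that the PR-preview workflows in this same patch also assume, so whatever the trust policy on `GithubActionsDeploymentRole` allows for a pull-request run it also allows for `deploy --stage prod`, and nothing in the hunk constrains the OIDC subject. The trust policy is outside this diff, but for the prod job its `sub` condition should be pinned to the `main` branch (or a protected environment) rather than a repo-wide wildcard, and a separate narrower role is the usual pattern for preview stages. Adding `role-session-name: gha-deploy-prod-${{ github.run_id }}` under the new `with:` block would make each assumption attributable in CloudTrail. Both `uses:` lines reference mutable major tags; pinning to a full commit SHA with the version in a trailing comment removes the tag-rewrite supply-chain risk. The enclosing `deploy` job starts before this hunk.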
@@ -18,11 +18,14 @@ jobs:
 cache: "npm"
 - name: Install dependencies
 run: npm ci
- - name: serverless deploy
+ - name: Configure AWS Credentials - Serverless Marketing AWS Account
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
+ aws-region: us-east-1
+ - name: Serverless Deploy - PR Preview
 uses: serverless/github-action@v4
 with:
 args: deploy --stage pr-${{ github.event.pull_request.number }}
 env:
 SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/pr-remove.yml b/.github/workflows/pr-remove.yml
index d93890b..91ac267 100644
--- a/.github/workflows/pr-remove.yml
+++ b/.github/workflows/pr-remove.yml
@@ -18,11 +18,14 @@ jobs:
 cache: "npm"
 - name: Install dependencies
 run: npm ci
- - name: serverless remove
+ - name: Configure AWS Credentials - Serverless Marketing AWS Account
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
+ aws-region: us-east-1
+ - name: Serverless Remove - PR Preview
 uses: serverless/github-action@v4
 with:
 args: remove --stage pr-${{ github.event.pull_request.number }}
 env:
 SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
From b69e4b67aedeb82b1e0efbd944c44e7fb23727cd Mon Sep 17 00:00:00 2001
From: eahefnawy
Date: Tue, 15 Oct 2024 12:57:57 +0000
Subject: [PATCH 2/3] chore(github): add workflow permissions
---
 .github/workflows/main.yml | 5 +++++
 .github/workflows/pr-deploy.yml | 5 +++++
 .github/workflows/pr-remove.yml | 5 +++++
 3 files changed, 15 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index cb68786..2f801ab 100644
--- a/.github/workflows/main.yml
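Review bot: The PR-preview deploy now assumes the same `GithubActionsDeploymentRole` as the prod deploy in main.yml, so a preview run for any pull request receives credentials that can also deploy to or tear down the prod stage. The `on:` trigger is outside this hunk; if it is `pull_request`, fork PRs get no `id-token` and the step fails closed, but if it is `pull_request_target` (or the workflow is later opened to forks) untrusted PR content would execute with prod-capable AWS access. A dedicated preview role, limited to `pr-*` stacks and trusted only for pull-request subjects from this repository, keeps the blast radius of a preview run separate from prod. The stage suffix in `args:` comes from `github.event.pull_request.number`, which is numeric, so that interpolation itself is not an injection vector; the same shared-role concern applies to the pr-remove.yml hunk below.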
+++ b/.github/workflows/main.yml
@@ -5,6 +5,11 @@ on:
 branches:
 - main
 
+permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
+
 jobs:
 deploy:
 name: deploy-prod
diff --git a/.github/workflows/pr-deploy.yml b/.github/workflows/pr-deploy.yml
index 07004e9..3a5ef8e 100644
--- a/.github/workflows/pr-deploy.yml
+++ b/.github/workflows/pr-deploy.yml
@@ -5,6 +5,11 @@ on:
 branches:
 - main
 
+permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
+
 jobs:
 remove:
 name: deploy-pr-preview
diff --git a/.github/workflows/pr-remove.yml b/.github/workflows/pr-remove.yml
index 91ac267..50b4904 100644
--- a/.github/workflows/pr-remove.yml
+++ b/.github/workflows/pr-remove.yml
@@ -5,6 +5,11 @@ on:
 types:
 - closed
 
+permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
+
 jobs:
 remove:
 name: remove-pr-preview
From a63b141deeab4f475eafae871dfd51c560d621cd Mon Sep 17 00:00:00 2001
From: eahefnawy
Date: Tue, 15 Oct 2024 13:03:25 +0000
Subject: [PATCH 3/3] chore(github): use v4 of aws creds GA
---
 .github/workflows/main.yml | 2 +-
 .github/workflows/pr-deploy.yml | 2 +-
 .github/workflows/pr-remove.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2f801ab..e0aa6df 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -30,7 +30,7 @@ jobs:
 yq -i '.stages.prod.params.customDomainName = "${{ vars.CUSTOM_DOMAIN_NAME }}"' serverless-compose.yml
 yq -i '.stages.prod.params.customDomainCertificateARN = "${{ vars.CUSTOM_DOMAIN_CERTIFICATE_ARN }}"' serverless-compose.yml
 - name: Configure AWS Credentials - Serverless Marketing AWS Account
- uses: aws-actions/configure-aws-credentials@v2
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
 aws-region: us-east-1
diff --git a/.github/workflows/pr-deploy.yml b/.github/workflows/pr-deploy.yml
index 3a5ef8e..3c2a3c6 100644
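Review bot: The new `permissions:` block grants `contents: write` and `pull-requests: write` at workflow level, but nothing visible in these workflows needs either: the OIDC exchange needs only `id-token: write`, and a checkout needs `contents: read`. Unless a step outside this diff pushes commits or comments on PRs (a preview-URL comment would justify `pull-requests: write` in pr-deploy.yml alone), the block should be `id-token: write` plus `contents: read`, and placing it under the job rather than at the top level stops any job added later from inheriting it. The same three-line grant is repeated verbatim in the pr-deploy.yml and pr-remove.yml hunks of this patch, so the reduction applies to all three; the tear-down workflow in particular has no reason to write to the repository or to pull requests. Over-broad `GITHUB_TOKEN` scopes matter more now that the token is also the OIDC identity the AWS role trusts.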
--- a/.github/workflows/pr-deploy.yml
+++ b/.github/workflows/pr-deploy.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Install dependencies
 run: npm ci
 - name: Configure AWS Credentials - Serverless Marketing AWS Account
- uses: aws-actions/configure-aws-credentials@v2
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
 aws-region: us-east-1
diff --git a/.github/workflows/pr-remove.yml b/.github/workflows/pr-remove.yml
index 50b4904..b94d481 100644
--- a/.github/workflows/pr-remove.yml
+++ b/.github/workflows/pr-remove.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Install dependencies
 run: npm ci
 - name: Configure AWS Credentials - Serverless Marketing AWS Account
- uses: aws-actions/configure-aws-credentials@v2
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
 aws-region: us-east-1